ID CVE-2009-3615
Summary The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.
References
Vulnerable Configurations
  • Adium 1.3.3
    cpe:2.3:a:adium:adium:1.3.3
  • Adium 1.3.4
    cpe:2.3:a:adium:adium:1.3.4
  • Adium 1.3.5
    cpe:2.3:a:adium:adium:1.3.5
  • Adium 1.0
    cpe:2.3:a:adium:adium:1.0
  • Adium 1.0.1
    cpe:2.3:a:adium:adium:1.0.1
  • Adium 1.3.1
    cpe:2.3:a:adium:adium:1.3.1
  • Adium 1.0.2
    cpe:2.3:a:adium:adium:1.0.2
  • Adium 1.3.2
    cpe:2.3:a:adium:adium:1.3.2
  • Adium 1.2.7
    cpe:2.3:a:adium:adium:1.2.7
  • Adium 1.0.3
    cpe:2.3:a:adium:adium:1.0.3
  • Adium 1.3
    cpe:2.3:a:adium:adium:1.3
  • Adium 1.0.4
    cpe:2.3:a:adium:adium:1.0.4
  • Adium 1.1
    cpe:2.3:a:adium:adium:1.1
  • Adium 1.0.5
    cpe:2.3:a:adium:adium:1.0.5
  • Adium 1.1.2
    cpe:2.3:a:adium:adium:1.1.2
  • Adium 1.1.1
    cpe:2.3:a:adium:adium:1.1.1
  • Adium 1.1.4
    cpe:2.3:a:adium:adium:1.1.4
  • Adium 1.1.3
    cpe:2.3:a:adium:adium:1.1.3
  • Pidgin 2.6.1
    cpe:2.3:a:pidgin:pidgin:2.6.1
  • Pidgin 2.6.0
    cpe:2.3:a:pidgin:pidgin:2.6.0
  • Pidgin 2.5.9
    cpe:2.3:a:pidgin:pidgin:2.5.9
  • Pidgin 2.5.8
    cpe:2.3:a:pidgin:pidgin:2.5.8
  • Pidgin 2.5.7
    cpe:2.3:a:pidgin:pidgin:2.5.7
  • Pidgin 2.5.6
    cpe:2.3:a:pidgin:pidgin:2.5.6
  • Pidgin 2.5.5
    cpe:2.3:a:pidgin:pidgin:2.5.5
  • Pidgin 2.5.4
    cpe:2.3:a:pidgin:pidgin:2.5.4
  • Pidgin 2.5.3
    cpe:2.3:a:pidgin:pidgin:2.5.3
  • Pidgin 2.5.2
    cpe:2.3:a:pidgin:pidgin:2.5.2
  • Pidgin 2.5.1
    cpe:2.3:a:pidgin:pidgin:2.5.1
  • Pidgin 2.5.0
    cpe:2.3:a:pidgin:pidgin:2.5.0
  • Pidgin 2.4.3
    cpe:2.3:a:pidgin:pidgin:2.4.3
  • Pidgin 2.4.2
    cpe:2.3:a:pidgin:pidgin:2.4.2
  • Pidgin 2.4.1
    cpe:2.3:a:pidgin:pidgin:2.4.1
  • Pidgin 2.4.0
    cpe:2.3:a:pidgin:pidgin:2.4.0
  • Pidgin 2.3.1
    cpe:2.3:a:pidgin:pidgin:2.3.1
  • Pidgin 2.3.0
    cpe:2.3:a:pidgin:pidgin:2.3.0
  • Pidgin 2.2.2
    cpe:2.3:a:pidgin:pidgin:2.2.2
  • Pidgin 2.2.1
    cpe:2.3:a:pidgin:pidgin:2.2.1
  • Pidgin 2.2.0
    cpe:2.3:a:pidgin:pidgin:2.2.0
  • Pidgin 2.1.1
    cpe:2.3:a:pidgin:pidgin:2.1.1
  • Pidgin 2.1.0
    cpe:2.3:a:pidgin:pidgin:2.1.0
  • Pidgin 2.0.2
    cpe:2.3:a:pidgin:pidgin:2.0.2
  • Pidgin 2.0.1
    cpe:2.3:a:pidgin:pidgin:2.0.1
  • Pidgin 2.0.0
    cpe:2.3:a:pidgin:pidgin:2.0.0
  • Adium 1.3.6
    cpe:2.3:a:adium:adium:1.3.6
  • Pidgin 2.6.2
    cpe:2.3:a:pidgin:pidgin:2.6.2
CVSS
Base: 5.0 (as of 21-10-2009 - 07:46)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_143318-03.NASL
    description GNOME 2.6.0_x86: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10
    last seen 2018-10-31
    modified 2018-10-29
    plugin id 108035
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108035
    title Solaris 10 (x86) : 143318-03
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1536.NASL
    description From Red Hat Security Advisory 2009:1536 : Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for Communication in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) These packages upgrade Pidgin to version 2.6.3. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 67951
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67951
    title Oracle Linux 4 : pidgin (ELSA-2009-1536)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1536.NASL
    description Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for Communication in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) These packages upgrade Pidgin to version 2.6.3. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 42330
    published 2009-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42330
    title CentOS 4 / 5 : pidgin (CESA-2009:1536)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_143317-03.NASL
    description GNOME 2.6.0: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10
    last seen 2018-10-27
    modified 2018-10-26
    plugin id 107540
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107540
    title Solaris 10 (sparc) : 143317-03
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2009-290-02.NASL
    description New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix a security issue.
    last seen 2019-02-21
    modified 2013-06-01
    plugin id 42169
    published 2009-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42169
    title Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : pidgin (SSA:2009-290-02)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-10702.NASL
    description This update fixes : - Bug #529357 - CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42195
    published 2009-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42195
    title Fedora 10 : pidgin-2.6.3-2.fc10 (2009-10702)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-10662.NASL
    description This update fixes : - Bug #529357 - CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42193
    published 2009-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42193
    title Fedora 11 : pidgin-2.6.3-2.fc11 (2009-10662)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20091029_PIDGIN_ON_SL3_X.NASL
    description An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) - SL3 only A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) - SL3 only Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60686
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60686
    title Scientific Linux Security Update : pidgin on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1932.NASL
    description It was discovered that incorrect pointer handling in the purple library, an internal component of the multi-protocol instant messaging client Pidgin, could lead to denial of service or the execution of arbitrary code through malformed contact requests.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44797
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44797
    title Debian DSA-1932-1 : pidgin - programming error
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1536.NASL
    description Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for Communication in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) These packages upgrade Pidgin to version 2.6.3. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 42313
    published 2009-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42313
    title RHEL 4 / 5 : pidgin (RHSA-2009:1536)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-085.NASL
    description Security vulnerabilities have been identified and fixed in pidgin : The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277). If a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username '<br>' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420). oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusably slow (CVE-2010-0423). Packages for 2009.0 are provided due to the Extended Maintenance Program. This update provides pidgin 2.6.6, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 46177
    published 2010-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46177
    title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:085)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1535.NASL
    description An updated pidgin package that fixes several security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) All Pidgin users should upgrade to this updated package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 42309
    published 2009-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42309
    title CentOS 3 : pidgin (CESA-2009:1535)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_143318.NASL
    description GNOME 2.6.0_x86: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 This plugin has been deprecated and either replaced with individual 143318 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 71703
    published 2013-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71703
    title Solaris 10 (x86) : 143318-03 (deprecated)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-886-1.NASL
    description It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler. If a user were tricked into connecting to a malicious IRC server, an attacker could cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703) It was discovered that Pidgin did not properly enforce the 'require TLS/SSL' setting when connecting to certain older Jabber servers. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026) It was discovered that Pidgin did not properly handle certain SLP invite messages in the MSN protocol handler. A remote attacker could send a specially crafted invite message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3083) It was discovered that Pidgin did not properly handle certain errors in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085) It was discovered that Pidgin did not properly handle malformed contact-list data in the OSCAR protocol handler. A remote attacker could send specially crafted contact-list data and cause Pidgin to crash, leading to a denial of service. (CVE-2009-3615) It was discovered that Pidgin did not properly handle custom smiley requests in the MSN protocol handler. A remote attacker could send a specially crafted filename in a custom smiley request and obtain arbitrary files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu 9.04 and Ubuntu 9.10. (CVE-2010-0013) Pidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with the MSN protocol. USN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the problem. It was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955) It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 44057
    published 2010-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44057
    title Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : pidgin vulnerabilities (USN-886-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1535.NASL
    description From Red Hat Security Advisory 2009:1535 : An updated pidgin package that fixes several security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) All Pidgin users should upgrade to this updated package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67950
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67950
    title Oracle Linux 3 : pidgin (ELSA-2009-1535)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1535.NASL
    description An updated pidgin package that fixes several security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) All Pidgin users should upgrade to this updated package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 42312
    published 2009-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42312
    title RHEL 3 : pidgin (RHSA-2009:1535)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FINCH-6710.NASL
    description This update of pidgin fixes the following issues : - Allowed to send confidential data unencrypted even if SSL was chosen by user. (CVE-2009-3026: CVSS v2 Base Score: 5.0) - Remote denial of service in yahoo IM plug-in. (CVE-2009-3025: CVSS v2 Base Score: 4.3) - Remote denial of service in MSN plug-in. (CVE-2009-3083: CVSS v2 Base Score: 5.0) - Remote denial of service in MSN plug-in. (CVE-2009-3084: CVSS v2 Base Score: 5.0) - Remote denial of service in XMPP plug-in. (CVE-2009-3085: CVSS v2 Base Score: 5.0) - Remote denial of service in ICQ plug-in. (CVE-2009-3615: CVSS v2 Base Score: 5.0) - QQ protocol upgrade Migrate all QQ accounts to QQ2008.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 51726
    published 2011-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51726
    title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6710)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_FINCH-090221.NASL
    description This update of pidgin fixes the following issues : - Allowed to send confidential data unencrypted even if SSL was chosen by user. (CVE-2009-3026: CVSS v2 Base Score: 5.0) - Remote denial of service in yahoo IM plug-in. (CVE-2009-3025: CVSS v2 Base Score: 4.3) - Remote denial of service in MSN plug-in. (CVE-2009-3083: CVSS v2 Base Score: 5.0) - Remote denial of service in MSN plug-in. (CVE-2009-3084: CVSS v2 Base Score: 5.0) - Remote denial of service in XMPP plug-in. (CVE-2009-3085: CVSS v2 Base Score: 5.0) - Remote denial of service in ICQ plug-in. (CVE-2009-3615: CVSS v2 Base Score: 5.0)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 42989
    published 2009-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42989
    title SuSE 11 Security Update : pidgin (SAT Patch Number 1604)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FINCH-6709.NASL
    description This update of pidgin fixes the following issues : - Allowed to send confidential data unencrypted even if SSL was chosen by user. (CVE-2009-3026: CVSS v2 Base Score: 5.0) - Remote denial of service in yahoo IM plug-in. (CVE-2009-3025: CVSS v2 Base Score: 4.3) - Remote denial of service in MSN plug-in. (CVE-2009-3083: CVSS v2 Base Score: 5.0) - Remote denial of service in MSN plug-in. (CVE-2009-3084: CVSS v2 Base Score: 5.0) - Remote denial of service in XMPP plug-in. (CVE-2009-3085: CVSS v2 Base Score: 5.0) - Remote denial of service in ICQ plug-in. (CVE-2009-3615: CVSS v2 Base Score: 5.0) - QQ protocol upgrade Migrate all QQ accounts to QQ2008.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 51725
    published 2011-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51725
    title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6709)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_FINCH-091024.NASL
    description This update of pidgin fixes the following issues : - CVE-2009-3026: CVSS v2 Base Score: 5.0 Allowed to send confidential data unencrypted even if SSL was chosen by user. - CVE-2009-3025: CVSS v2 Base Score: 4.3 Remote denial of service in yahoo IM plug-in. - CVE-2009-3083: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3084: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3085: CVSS v2 Base Score: 5.0 Remote denial of service in XMPP plug-in. - CVE-2009-3615: CVSS v2 Base Score: 5.0 Remote denial of service in ICQ plug-in. - QQ protocol upgrade Migrate all QQ accounts to QQ2008.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 43054
    published 2009-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43054
    title openSUSE Security Update : finch (finch-1625)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_FINCH-080606.NASL
    description This update of pidgin fixes the following issues : - CVE-2009-3026: CVSS v2 Base Score: 5.0 Allowed to send confidential data unencrypted even if SSL was chosen by user. - CVE-2009-3025: CVSS v2 Base Score: 4.3 Remote denial of service in yahoo IM plug-in. - CVE-2009-3083: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3084: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3085: CVSS v2 Base Score: 5.0 Remote denial of service in XMPP plug-in. - CVE-2009-3615: CVSS v2 Base Score: 5.0 Remote denial of service in ICQ plug-in. - QQ protocol upgrade Migrate all QQ accounts to QQ2008.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 43050
    published 2009-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43050
    title openSUSE Security Update : finch (finch-1625)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_FINCH-081203.NASL
    description This update of pidgin fixes the following issues : - CVE-2009-3026: CVSS v2 Base Score: 5.0 Allowed to send confidential data unencrypted even if SSL was chosen by user. - CVE-2009-3025: CVSS v2 Base Score: 4.3 Remote denial of service in yahoo IM plug-in. - CVE-2009-3083: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3084: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3085: CVSS v2 Base Score: 5.0 Remote denial of service in XMPP plug-in. - CVE-2009-3615: CVSS v2 Base Score: 5.0 Remote denial of service in ICQ plug-in. - QQ protocol upgrade Migrate all QQ accounts to QQ2008.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 43052
    published 2009-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43052
    title openSUSE Security Update : finch (finch-1625)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-001.NASL
    description Security vulnerabilities have been identified and fixed in pidgin : The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides pidgin 2.6.5, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 43853
    published 2010-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43853
    title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:001)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_143317.NASL
    description GNOME 2.6.0: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 This plugin has been deprecated and either replaced with individual 143317 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 71656
    published 2013-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71656
    title Solaris 10 (sparc) : 143317-03 (deprecated)
oval via4
  • accepted 2013-09-30T04:01:09.686-04:00
    class vulnerability
    contributors
    • name Shane Shaffer
      organization G2, Inc.
    definition_extensions
    • comment Pidgin is installed
      oval oval:org.mitre.oval:def:12366
    description The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.
    family windows
    id oval:org.mitre.oval:def:18388
    status accepted
    submitted 2013-08-16T15:36:10.221-04:00
    title The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client
    version 4
  • accepted 2013-04-29T04:19:16.114-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.
    family unix
    id oval:org.mitre.oval:def:9414
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.
    version 24
redhat via4
advisories
  • bugzilla
    id 529357
    title CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client
    oval
    AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhba:tst:20070026001
    • comment pidgin is earlier than 0:1.5.1-6.el3
      oval oval:com.redhat.rhsa:tst:20091535002
    • comment pidgin is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20080584003
    rhsa
    id RHSA-2009:1535
    released 2009-10-29
    severity Moderate
    title RHSA-2009:1535: pidgin security update (Moderate)
  • bugzilla
    id 529357
    title CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment finch is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536018
          • comment finch is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023015
        • AND
          • comment finch-devel is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536012
          • comment finch-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023013
        • AND
          • comment libpurple is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536014
          • comment libpurple is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023005
        • AND
          • comment libpurple-devel is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536016
          • comment libpurple-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023017
        • AND
          • comment libpurple-perl is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536006
          • comment libpurple-perl is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023007
        • AND
          • comment libpurple-tcl is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536010
          • comment libpurple-tcl is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023019
        • AND
          • comment pidgin is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536002
          • comment pidgin is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20080584003
        • AND
          • comment pidgin-devel is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536008
          • comment pidgin-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023009
        • AND
          • comment pidgin-perl is earlier than 0:2.6.3-2.el4
            oval oval:com.redhat.rhsa:tst:20091536004
          • comment pidgin-perl is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20081023011
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment finch is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536033
          • comment finch is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584016
        • AND
          • comment finch-devel is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536037
          • comment finch-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584014
        • AND
          • comment libpurple is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536031
          • comment libpurple is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584020
        • AND
          • comment libpurple-devel is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536027
          • comment libpurple-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584018
        • AND
          • comment libpurple-perl is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536023
          • comment libpurple-perl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584010
        • AND
          • comment libpurple-tcl is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536025
          • comment libpurple-tcl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584012
        • AND
          • comment pidgin is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536021
          • comment pidgin is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584008
        • AND
          • comment pidgin-devel is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536035
          • comment pidgin-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584024
        • AND
          • comment pidgin-perl is earlier than 0:2.6.3-2.el5
            oval oval:com.redhat.rhsa:tst:20091536029
          • comment pidgin-perl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20080584022
    rhsa
    id RHSA-2009:1536
    released 2009-10-29
    severity Moderate
    title RHSA-2009:1536: pidgin security update (Moderate)
rpms
  • pidgin-0:1.5.1-6.el3
  • finch-0:2.6.3-2.el4
  • finch-devel-0:2.6.3-2.el4
  • libpurple-0:2.6.3-2.el4
  • libpurple-devel-0:2.6.3-2.el4
  • libpurple-perl-0:2.6.3-2.el4
  • libpurple-tcl-0:2.6.3-2.el4
  • pidgin-0:2.6.3-2.el4
  • pidgin-devel-0:2.6.3-2.el4
  • pidgin-perl-0:2.6.3-2.el4
  • finch-0:2.6.3-2.el5
  • finch-devel-0:2.6.3-2.el5
  • libpurple-0:2.6.3-2.el5
  • libpurple-devel-0:2.6.3-2.el5
  • libpurple-perl-0:2.6.3-2.el5
  • libpurple-tcl-0:2.6.3-2.el5
  • pidgin-0:2.6.3-2.el5
  • pidgin-devel-0:2.6.3-2.el5
  • pidgin-perl-0:2.6.3-2.el5
refmap via4
bid 36719
confirm
mandriva MDVSA-2010:085
secunia
  • 37017
  • 37072
vupen
  • ADV-2009-2949
  • ADV-2009-2951
  • ADV-2010-1020
xf pidgin-oscar-protocol-dos(53807)
Last major update 02-11-2013 - 22:53
Published 20-10-2009 - 13:30
Last modified 18-09-2017 - 21:29